blog

Latest Security Vulnerability of the Week 3/10/22 – Application Security – Cloud – Vulnerability – Exchange Zero Day & Mitigations, bitbucket, cobalt stike

Latest Security Vulnerability of the Week 3/10/22 - Application Security - Cloud Security - Infrastructure Security - cobaltstrike microsoft excahnge vulnerability bitbucket vulnerability

Previous Issues of vulnerability Weekly



This week we deep dive into Exchange zero-day and large-scale exploit, cobalt strike, bitbucket.



INFRA/Network

Two new Microsoft Exchange zero-days exploited in the wild from Chinese ATP

On September 30th two vulnerabilities have been discovered in a large attack.

On September 29 a Vietnamese researcher warned the ATP was targeting exchange servers with RCE directly on the system.

As RCE is a category of devastating attacks as they allow an attacker to further deploy payloads and additional exploits. 

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, requiring federal agencies to apply the patches by October 21, 2022.

Microsoft issued the statement: 

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  

Microsoft has recently published.  

CVE-2022-41040 

CVE-2022-41082

Mitigation: 

Alert as highly exploitable (especially 41040). The current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns

On-premises exchange:

“The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”

To apply the mitigation to vulnerable servers, you will need to go through the following steps:

  1. Open the IIS Manager.
  2. Expand the Default Web Site.
  3. Select Autodiscover.
  4. In the Feature View, click URL Rewrite.
  5. In the Actions pane on the right-hand side, click Add Rules.
  6. Select Request Blocking and click OK.
  7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
  8. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
  9. Change the condition input from {URL} to {REQUEST_URI}

Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:

  • HTTP: 5985
  • HTTPS: 5986

On-premises exchange follow the recommendations: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ 

Option 2: Microsoft created the following script for the URL Rewrite mitigation steps. https://aka.ms/EOMTv2 

Currently, there are 318,382  server exposed with exchange running

At the time of attack USA, Japan, and UK/Germany were the targets of ATP coming from China

CVE-2022-41040, is a Server-Side Request Forgery (SSRF) – 

A vulnerability has been found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This vulnerability affects an unknown part. The manipulation with an unknown input leads to a privilege escalation vulnerability. The CWE definition for vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact, it is known to affect confidentiality, integrity, and availability.

The weakness was published 09/30/2022. The advisory is available at msrc-blog.microsoft.com. This vulnerability was named CVE-2022-41040. Technical details are unknown but an exploit is available. 

The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation from vulndb) even tough exploit was developed by 

It is declared as highly functional.

It is possible to mitigate the problem by applying the configuration setting.

Why EPSS alone was not active – EPSS currently is scoring vulnerabilities at 0.0 (data still needs to be retrieved)

CTI information gives a range from 8 to now 5 after successful mitigation

CVE-2022-41082– Microsoft Advisory

Currently actively exploited in the wild with persistance – exploit is less active than CVE-2022-41040,

A vulnerability was found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This issue affects an unknown code of the component PowerShell Handler. Impacted are confidentiality, integrity, and availability.

The weakness was released on 09/30/2022. It is possible to read the advisory at msrc-blog.microsoft.com. The identification of this vulnerability is CVE-2022-41082. Technical details are unknown, but an exploit is available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation from vulndb).

BitBucket Server vulnerability hack CISA warns agencies. 

U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian’s Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalogue, citing evidence of active exploitation.

CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary code execution on susceptible installations by sending a specially crafted HTTP request.

“All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected; this means that all instances running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability,” Atlassian noted in a late August 2022 advisory.

The shortcoming discovered and reported by security researcher @TheGrandPew impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0.0 and newer –

  • Bitbucket Server and Datacenter 7.6
  • Bitbucket Server and Datacenter 7.17
  • Bitbucket Server and Datacenter 7.21
  • Bitbucket Server and Datacenter 8.0
  • Bitbucket Server and Datacenter 8.1
  • Bitbucket Server and Datacenter 8.2, and
  • Bitbucket Server and Datacenter 8.3

“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian said in an advisory.

Currently, there are 166 Publicly exposed bitbuckets. Exposing Bitbucket is not recommended. 

https://www.shodan.io/search?query=bitbucket

Cobalt Strike beacon disguised as job advert.

Cobalt Strike | Adversary Simulation and Red Team Operations

The renowned attack platform cobalt strike has been targeted by attackers with a malware campaign distributed by documents and disguised as job advertisements.

Several exploits in the wild with Remote Code Execution 

“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new Wednesday analysis.

Together with this attack Cobalt strike was found with a vulnerability. 

Official Registration as medium CVSS score for CVE-2022-39197 

An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7, allowing a remote attacker to execute HTML on the Cobalt Strike team server. To exploit the vulnerability, one must first inspect a Cobalt Strike payload and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).

The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.

Cobalt Strike Beacons
Cobalt Strike Beacons

“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers said.

“Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain.”

Official Statement from HelpSystem maintainer of Cobalt stike

An independent researcher identified as “Beichendream” contacted us about an XSS vulnerability they discovered in the team server. This would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely. We created a CVE for this issue which has been fixed.

Official advisory: https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/ 

As several exploit attempts of the platform, avoids using or exposing cobalt strike software.

Also be wary of any attachment or report  

Currently, there are 1949 cobalt strike exposed system recorded in shodan 

Previous Issues of vulnerability Weekly




Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Owasp top 10 has been a pillar over the years; sister to CWE – Common Weakness Enumeration we provide an overview of the top software vulnerabilities and web application security risks with a data-driven approach focused on helping identify what risk to fix first.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Asset and Vulnerability Management – Associate assets with multiple Applications and Environments – Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
With cyber threats growing in sophistication, understanding exploitability has become crucial for security teams to prioritize vulnerabilities effectively. This article explores the key factors that influence the likelihood of exploits in the wild, including attack vectors, complexity levels, privileges required, and more. You’ll learn how predictive scoring systems like EPSS are bringing added dimensions to vulnerability analysis, going beyond static scores. We discuss the importance of monitoring verified threat feeds and exploiting trends from reliable sources, instead of getting distracted by unverified claims and noise. Adopting a risk-based approach to prioritization is emphasized, where critical vulnerabilities are addressed not just based on CVSS severity, but also their likelihood of being exploited and potential business impact. Recent major exploits like Log4Shell are highlighted to stress the need for proactive security. Equipped with the insights from this guide, you’ll be able to implement a strategic, data-backed approach to focusing on the most pertinent risks over the barrage of vulnerabilities.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Improved Management your Vulnerabilities and Assets Display “Closed” vulnerabilities list page Display vulnerability stats in Asset screens Override asset exposure for whole Apps/Envs Filter on-screen dynamic statistical and insights Risk-based Posture Management Update risk formula structure Update Vuln risk formula factors Integrations Configure “vulnerability types” fetched from SonarCloud/SonarQube Users can manually trigger a “scanner refresh” Update Jira tickets when the associated vulnerability is closed Other Improvements Handle large number of items in Treemap chart Improved scanner flow: don’t fetch targets until needed Improved performance of MTTR queries
Alfonso Eusebio

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO